Tackling Smart Grid Security – Back to Basics

Smart Grid promises to radically change the face of energy technology today; however, along the way, it creates threat vectors that can leave utility companies vulnerable to a whole new realm of attacks. Besides these new threats, utility companies are also affected by the uncertain economic times, so investments are receiving more scrutiny from local PUCs (Public Utility Commissions) as it becomes increasingly difficult to recover this cost from consumers. Fewer dollars devoted to securing critical infrastructure and the increase in regulatory compliance enforcement have security professionals scrambling; utility companies are being forced to trim development and stretch their budgets without extra resources.

Another threat is the lack of enforceable Smart Grid security standards for the power distribution grids; the only enforceable standard being circulated in the industry today is the NERC CIP standard, which only applies to generation and transmission. There is no shortage of great guidelines, such as NISTIR 7628, NIST 800-82 (Industrial Control Systems Security), Cyber Assessment Methods for SCADA Security, Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment, and Security Framework for Control System Data Classification and Protection, just to name a few, but the lack of enforceable standards leaves utilities not knowing where to go and confused about which guidelines are appropriate for their needs.

This wait-and-see approach, while Smart Grid technologies are being deployed in the grid, will only make interoperability among these technologies more difficult, as vendors are adopting their own security approaches and proprietary technologies.

What should you do?

Instead of taking the wait-and-see approach and continuing to deploy insecure devices in your infrastructure while waiting to see if your vendor decides to implement security in their devices, go “back to basics”.

Identify the assets, systems, networks, people and functions that are critical to your business; this information is the foundation of a risk-based approach to security. In these uncertain economic times, utilities need to be diligent in the way they invest their money, and a risk-based approach is not only diligent but also provides a framework for continuous improvement to enhance the protection of critical systems.

The best way to perform your first assessment or verify your current results is to engage a third-party, a consulting company that provides vulnerability and penetration test assessment services, with experience in the utility industry. (Utility experience is one requirement that you should make sure you put on your RFPs.)

Once you have your results, go back to your risk framework and prioritize based on which identified risks would have the greatest impact on the business if realized. This priority list, along with an educated assessment and justification, gives management a strategic security plan to improve your security posture and implement a continuous improvement program.

Once your program has been approved, the process of developing and implementing effective protective measures can be broken down into three steps:

  • Determine needs;
    • Analyze your priority list and which tools and programs are needed.
  • Design your security program;
    • Design your protective program approach.
  • Develop your continuous improvement program;
    • Make sure you implement a repeatable strategy.

Last but not least, “measure.” Implementing repeatable processes requires that you measure their effectiveness and continue to improve them.

These steps will assist your organization in improving security while the industry works to find a standard approach that everyone in the energy industry can emulate. Meanwhile, remember this:

Identify – Assess – Prioritize – Implement – Measure

What is your security approach? I would like to hear from you, please leave a comment.


About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.